The world of social media – be it Facebook, Twitter, Instagram or countless others – is complicated because it’s a mix of the personal (“here is a photo of my daughter at camp”), commercial (“Jim likes Visa”), and often, something in between (“I can’t believe what my employer, XYZ Corp., is doing – it’s so unfair…”).

But its use by employees can also be downright unacceptable. Employees have used social media to sexually harass other employees. Hospital workers have used it to post patient pictures and protected health information. At other times, employees have revealed confidential financial information about their companies through their social media accounts. Such conduct exposes employers to serious legal and compliance risks. As a result, internal auditors are being asked to develop safeguards around legitimate uses of social media in the workplace and to actively defend against its misuse.

This task, however, presents a formidable challenge. Auditing compliance with corporate social media policies has recently been made more difficult by the need to also comply with laws that limit an employer’s ability to examine an employee’s or a job applicant’s social media postings. These laws have already been passed by 12 states, and similar legislation is pending in over 30 more.[1]

At first blush, these laws champion a new level of e-privacy by prohibiting employers from requiring employees to provide them with their user names and passwords for their personal social media accounts – a step most of us would welcome as a good idea. The reality, however, is much more complex because these laws may also – inadvertently, in some cases – limit an employer’s ability to access employee accounts when conducting legitimate and necessary internal investigations. An additional obstacle is that each statute provides different definitions and scopes of privacy protection. For example, while some laws have exceptions for employee misconduct, other statutes have no such exceptions.

For the foreseeable future, we can expect more regulation in this area. As auditors and compliance professionals, we must make sure we are on the right side of the law even as we work to ensure other regulations and laws haven’t been broken. Before you begin your audits or investigations, make sure you know whether any of these laws apply and exactly what you are permitted to do.